From 7083deb773b9c12ef56da6a934f9f0daca95d8ba Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 29 Jan 2025 14:11:40 -0800 Subject: add affinity system --- config/nix.org | 1089 +++++++++++++++++++++++--------------- nix/flake.nix | 69 +-- nix/modules/configuration.nix | 53 +- nix/modules/cuda.nix | 9 + nix/modules/default.nix | 21 +- nix/modules/dovecot.nix | 8 + nix/modules/git-daemon.nix | 9 + nix/modules/home/default.nix | 220 ++++---- nix/modules/i2pd.nix | 11 + nix/modules/nginx.nix | 47 ++ nix/modules/nvidia.nix | 21 + nix/modules/nvme-simple.nix | 35 ++ nix/modules/ollama.nix | 8 + nix/modules/postfix.nix | 8 + nix/modules/xserver.nix | 8 +- nix/systems/affinity/default.nix | 13 + 16 files changed, 1042 insertions(+), 587 deletions(-) create mode 100644 nix/modules/cuda.nix create mode 100644 nix/modules/dovecot.nix create mode 100644 nix/modules/git-daemon.nix create mode 100644 nix/modules/i2pd.nix create mode 100644 nix/modules/nginx.nix create mode 100644 nix/modules/nvidia.nix create mode 100644 nix/modules/nvme-simple.nix create mode 100644 nix/modules/ollama.nix create mode 100644 nix/modules/postfix.nix create mode 100644 nix/systems/affinity/default.nix diff --git a/config/nix.org b/config/nix.org index aed87f6..d443470 100644 --- a/config/nix.org +++ b/config/nix.org @@ -25,18 +25,18 @@ so that adding new configurations that add modifications is made simple. nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; }; lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.1"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/lanzaboote/v0.4.1"; + inputs.nixpkgs.follows = "nixpkgs"; }; nur.url = "github:nix-community/NUR"; @@ -48,46 +48,55 @@ so that adding new configurations that add modifications is made simple. outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: { nixosConfigurations = { - installer = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ( - { pkgs, modulesPath, ... }: - { - imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; - } - ) - ./systems/installer/default.nix - ]; - }; - - continuity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - { nixpkgs.overlays = [ nur.overlays.default ]; } - { home-manager.extraSpecialArgs = attrs; } - - ./modules/sda-simple.nix - ./systems/continuity/default.nix - ]; - }; - - spontaneity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; - }; - - affinity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; - }; + installer = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ( + { pkgs, modulesPath, ... }: + { + imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; + } + ) + ./systems/installer/default.nix + ]; + }; + + continuity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + + ./modules/sda-simple.nix + ./systems/continuity/default.nix + ]; + }; + + affinity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + ./modules/nvme-simple.nix + ./systems/affinity/default.nix + ]; + }; + + spontaneity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = []; + }; }; }; } @@ -176,82 +185,83 @@ largely self-documenting. Again, these are self documenting variables that you may see used below. These are to be used under ~default.nix~ in the ~systems~ folder. #+begin_src nix :tangle ../nix/modules/default.nix -{ lib, config, pkgs, ... }: -{ - imports = [ - ./configuration.nix - ./home/home.nix - ./vars.nix - ]; + { lib, config, pkgs, ... }: + { + imports = [ + ./configuration.nix + ./home/home.nix + ./vars.nix + ]; - options = { - monorepo = { - profiles = { - cuda.enable = lib.mkEnableOption "Enables CUDA support"; - documentation.enable = lib.mkEnableOption "Enables documentation on system."; - secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; - pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; - tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; - home.enable = lib.mkEnableOption "Enables home user"; + options = { + monorepo = { + profiles = { + cuda.enable = lib.mkEnableOption "Enables CUDA support"; + documentation.enable = lib.mkEnableOption "Enables documentation on system."; + secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; + pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; + tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; + home.enable = lib.mkEnableOption "Enables home user"; + server.enable = lib.mkEnableOption "Enables server services"; + }; }; }; - }; - - config = { - home-manager.users."${config.monorepo.vars.userName}" = { - programs.home-manager.enable = config.monorepo.profiles.home.enable; - }; - environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [ - linux-manual - man-pages - man-pages-posix - ]); + config = { + home-manager.users."${config.monorepo.vars.userName}" = { + programs.home-manager.enable = config.monorepo.profiles.home.enable; + }; - monorepo = { - profiles = { - documentation.enable = lib.mkDefault true; - pipewire.enable = lib.mkDefault true; - tor.enable = lib.mkDefault true; - home.enable = lib.mkDefault true; + environment.systemPackages = lib.mkIf config.monorepo.profiles.documentation.enable (with pkgs; [ + linux-manual + man-pages + man-pages-posix + ]); + + monorepo = { + profiles = { + documentation.enable = lib.mkDefault true; + pipewire.enable = lib.mkDefault true; + tor.enable = lib.mkDefault true; + home.enable = lib.mkDefault true; + }; }; }; - }; -} + } #+end_src ** X11 My Xorg configuration is used as a backup for when wayland applications don't work. Note that using this configuration is extremely inefficient and my i3 configuration is unoptimized. Still, it is suitable for using Krita. #+begin_src nix :tangle ../nix/modules/xserver.nix -{ lib, pkgs, ... }: -{ - services.xserver = { - enable = lib.mkDefault true; - displayManager = { - startx.enable = true; - }; + { lib, config, pkgs, ... }: + { + services.xserver = { + enable = lib.mkDefault true; + displayManager = { + startx.enable = true; + }; - windowManager = { - i3 = { - enable = true; - package = pkgs.i3-gaps; + windowManager = { + i3 = { + enable = true; + package = pkgs.i3-gaps; + }; }; - }; - desktopManager = { - runXdgAutostartIfNone = true; - }; + desktopManager = { + runXdgAutostartIfNone = true; + }; - xkb = { - layout = "us"; - variant = ""; - options = "caps:escape"; - }; + xkb = { + layout = "us"; + variant = ""; + options = "caps:escape"; + }; - videoDrivers = []; - }; -} + videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []); + }; + } #+end_src You should add your own video drivers in a custom machine configuration. ** Pipewire @@ -345,6 +355,155 @@ distribution soon, and I'm waiting on that. }; } #+end_src +** i2pd +I use i2p for some p2p connections. We enable it with the server profile: +#+begin_src nix :tangle ../nix/modules/i2pd.nix + { config, lib, ... }: + { + services.i2pd = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + address = "0.0.0.0"; + inTunnels = { + }; + outTunnels = { + }; + }; + } +#+end_src +** Ollama +Use ollama for serving large language models to my other computers. +#+begin_src nix :tangle ../nix/modules/ollama.nix + { config, lib, ... }: + { + services.ollama = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + acceleration = "cuda"; + host = "0.0.0.0"; + }; + } +#+end_src +** Dovecot +My server sets up dovecot in order to use imaps. +#+begin_src nix :tangle ../nix/modules/dovecot.nix + { config, lib, ... }: + { + services.dovecot2 = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + enableImap = true; + enablePop3 = true; + }; + } +#+end_src +** Postfix +Use postfix as an smtps server. +#+begin_src nix :tangle ../nix/modules/postfix.nix + { config, lib, ... }: + { + services.postfix = { + enable = true; + config = { + }; + }; + } +#+end_src +** Git Server +#+begin_src nix :tangle ../nix/modules/git-daemon.nix + { config, lib, ... }: + { + services.gitDaemon = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + exportAll = true; + listenAddress = "0.0.0.0"; + basePath = "/srv/git"; + }; + } +#+end_src +** Nginx +#+begin_src nix :tangle ../nix/modules/nginx.nix + { config, services, ... }: + { + services.nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + + virtualHosts = { + "ret2pop.net" = { + # addSSL = true; + # enableACME = true; + root = "/home/preston/ret2pop-website/"; + }; + }; + }; + } +#+end_src +** Nvidia +#+begin_src nix :tangle ../nix/modules/nvidia.nix + { config, lib, pkgs, ... }: + { + hardware = { + graphics.extraPackages = with pkgs; [ + vaapiVdpau + libvdpau-va-gl + nvidia-vaapi-driver + ]; + + nvidia = { + modesetting.enable = true; + powerManagement = { + enable = true; + finegrained = false; + }; + nvidiaSettings = true; + open = false; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + }; + } +#+end_src +** CUDA +#+begin_src nix :tangle ../nix/modules/cuda.nix + { config, lib, pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + cudatoolkit + cudaPackages.cudnn + cudaPackages.libcublas + linuxPackages.nvidia_x11 + ]; + } +#+end_src ** Main Configuration This is the backbone of the all the NixOS configurations, with all these options being shared because they enhance security. @@ -357,6 +516,14 @@ because they enhance security. ./pipewire.nix ./tor.nix ./kubo.nix + ./nvidia.nix + ./cuda.nix + ./nginx.nix + ./git-daemon.nix + ./postfix.nix + ./dovecot.nix + ./ollama.nix + ./i2pd.nix ]; documentation = { @@ -367,10 +534,10 @@ because they enhance security. environment = { etc = { - securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + securetty.text = '' + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; }; }; @@ -378,13 +545,13 @@ because they enhance security. coredump.enable = false; network.config.networkConfig.IPv6PrivacyExtensions = "kernel"; tmpfiles.settings = { - "restricthome"."/home/*".Z.mode = "~0700"; + "restricthome"."/home/*".Z.mode = "~0700"; - "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; - }; + "restrictetcnixos"."/etc/nixos/*".Z = { + mode = "0000"; + user = "root"; + group = "root"; + }; }; }; @@ -393,126 +560,126 @@ because they enhance security. extraModulePackages = [ ]; initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" - ]; - - kernelModules = [ ]; + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" + ]; + + kernelModules = [ ]; }; lanzaboote = { - enable = config.monorepo.profiles.secureBoot.enable; - pkiBundle = "/etc/secureboot"; + enable = config.monorepo.profiles.secureBoot.enable; + pkiBundle = "/etc/secureboot"; }; loader = { - systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); - efi.canTouchEfiVariables = true; + systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); + efi.canTouchEfiVariables = true; }; - + kernelModules = [ - "snd-seq" - "snd-rawmidi" - "xhci_hcd" - "kvm_intel" + "snd-seq" + "snd-rawmidi" + "xhci_hcd" + "kvm_intel" ]; kernelParams = [ - "debugfs=off" - "page_alloc.shuffle=1" - "slab_nomerge" - "page_poison=1" - - # madaidan - "pti=on" - "randomize_kstack_offset=on" - "vsyscall=none" - "module.sig_enforce=1" - "lockdown=confidentiality" - - # cpu - "spectre_v2=on" - "spec_store_bypass_disable=on" - "tsx=off" - "tsx_async_abort=full,nosmt" - "mds=full,nosmt" - "l1tf=full,force" - "nosmt=force" - "kvm.nx_huge_pages=force" - - # hardened - "extra_latent_entropy" - - # mineral - "init_on_alloc=1" - "random.trust_cpu=off" - "random.trust_bootloader=off" - "intel_iommu=on" - "amd_iommu=force_isolation" - "iommu=force" - "iommu.strict=1" - "init_on_free=1" - "quiet" - "loglevel=0" + "debugfs=off" + "page_alloc.shuffle=1" + "slab_nomerge" + "page_poison=1" + + # madaidan + "pti=on" + "randomize_kstack_offset=on" + "vsyscall=none" + "module.sig_enforce=1" + "lockdown=confidentiality" + + # cpu + "spectre_v2=on" + "spec_store_bypass_disable=on" + "tsx=off" + "tsx_async_abort=full,nosmt" + "mds=full,nosmt" + "l1tf=full,force" + "nosmt=force" + "kvm.nx_huge_pages=force" + + # hardened + "extra_latent_entropy" + + # mineral + "init_on_alloc=1" + "random.trust_cpu=off" + "random.trust_bootloader=off" + "intel_iommu=on" + "amd_iommu=force_isolation" + "iommu=force" + "iommu.strict=1" + "init_on_free=1" + "quiet" + "loglevel=0" ]; blacklistedKernelModules = [ - "netrom" - "rose" - - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" + "netrom" + "rose" + + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "ntfs" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; kernel.sysctl = { - "kernel.ftrace_enabled" = false; - "net.core.bpf_jit_enable" = false; - "kernel.kptr_restrict" = 2; - - # madaidan - "vm.swappiness" = 1; - "vm.unprivileged_userfaultfd" = 0; - "dev.tty.ldisc_autoload" = 0; - "kernel.kexec_load_disabled" = 1; - "kernel.sysrq" = 4; - "kernel.perf_event_paranoid" = 3; - - # net - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + "kernel.ftrace_enabled" = false; + "net.core.bpf_jit_enable" = false; + "kernel.kptr_restrict" = 2; + + # madaidan + "vm.swappiness" = 1; + "vm.unprivileged_userfaultfd" = 0; + "dev.tty.ldisc_autoload" = 0; + "kernel.kexec_load_disabled" = 1; + "kernel.sysrq" = 4; + "kernel.perf_event_paranoid" = 3; + + # net + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + + "net.ipv4.conf.all.accept_redirects" = false; + "net.ipv4.conf.all.secure_redirects" = false; + "net.ipv4.conf.default.accept_redirects" = false; + "net.ipv4.conf.default.secure_redirects" = false; + "net.ipv6.conf.all.accept_redirects" = false; + "net.ipv6.conf.default.accept_redirects" = false; }; }; @@ -520,12 +687,12 @@ because they enhance security. useDHCP = lib.mkDefault true; hostName = config.monorepo.vars.hostName; networkmanager = { - enable = true; - # wifi.macAddress = ""; + enable = true; + # wifi.macAddress = ""; }; firewall = { - allowedTCPPorts = [ ]; - allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ ]; }; }; @@ -536,16 +703,16 @@ because they enhance security. pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable; bluetooth = { - enable = true; - powerOnBoot = true; + enable = true; + powerOnBoot = true; }; }; services = { chrony = { - enable = true; - enableNTS = true; - servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; + enable = true; + enableNTS = true; + servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; }; jitterentropy-rngd.enable = true; @@ -558,12 +725,12 @@ because they enhance security. # Misc. udev = { - extraRules = ''''; - packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd - ]; + extraRules = ''''; + packages = with pkgs; [ + platformio-core + platformio-core.udev + openocd + ]; }; printing.enable = true; @@ -580,20 +747,20 @@ because they enhance security. nixpkgs = { hostPlatform = lib.mkDefault "x86_64-linux"; config = { - allowUnfree = true; - cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; + allowUnfree = true; + cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; }; }; security = { apparmor = { - enable = true; - killUnconfinedConfinables = true; + enable = true; + killUnconfinedConfinables = true; }; pam.loginLimits = [ - { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } - { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } + { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } + { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } ]; rtkit.enable = true; @@ -603,9 +770,9 @@ because they enhance security. forcePageTableIsolation = true; tpm2 = { - enable = true; - pkcs11.enable = true; - tctiEnvironment.enable = true; + enable = true; + pkcs11.enable = true; + tctiEnvironment.enable = true; }; auditd.enable = true; @@ -618,9 +785,9 @@ because they enhance security. enable = true; wlr.enable = true; extraPortals = with pkgs; [ - xdg-desktop-portal-gtk - xdg-desktop-portal - xdg-desktop-portal-hyprland + xdg-desktop-portal-gtk + xdg-desktop-portal + xdg-desktop-portal-hyprland ]; config.common.default = "*"; }; @@ -632,19 +799,24 @@ because they enhance security. vim curl ]; - + users.users = { root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" ]; + git = { + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; + }; "${config.monorepo.vars.userName}" = { - initialPassword = "${config.monorepo.vars.userName}"; - isNormalUser = true; - description = config.monorepo.vars.fullName; - extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; - shell = pkgs.zsh; - packages = []; + initialPassword = "${config.monorepo.vars.userName}"; + isNormalUser = true; + description = config.monorepo.vars.fullName; + extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; + shell = pkgs.zsh; + packages = []; }; }; @@ -695,6 +867,45 @@ you will have to import that configuration in your ~systems/xxx/default.nix~. }; } #+end_src +*** NVME +For my nvme drives. +#+begin_src nix :tangle ../nix/modules/nvme-simple.nix +{ + disko.devices = { + disk = { + my-disk = { + device = "/dev/nvme0n1"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "500M"; + priority = 1; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + priority = 2; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} +#+end_src ** Home Time for my home user configuration, which is managed by home-manager. First we start off with this module to enter us into the home-manager namespace: @@ -718,181 +929,199 @@ in the top level from now on will implicitly be located at As you can see, I have my installed home packages installed based on the profiles enabled. Also, I have many imports that we'll go through next. #+begin_src nix :tangle ../nix/modules/home/default.nix -{ lib, config, pkgs, ... }: -{ - imports = [ - ../vars.nix - ./fcitx.nix - ./secrets.nix - ./emacs.nix - ./firefox.nix - ./git.nix - ./hyprland.nix - ./mpv.nix - ./yt-dlp.nix - ./wofi.nix - ./kitty.nix - ./waybar.nix - ./zsh.nix - ./mbsync.nix - ./msmtp.nix - ./gammastep.nix - ./mpd.nix - ./mako.nix - ./user.nix - ]; + { lib, config, pkgs, ... }: + { + imports = [ + ../vars.nix + ./fcitx.nix + ./secrets.nix + ./emacs.nix + ./firefox.nix + ./git.nix + ./hyprland.nix + ./mpv.nix + ./yt-dlp.nix + ./wofi.nix + ./kitty.nix + ./waybar.nix + ./zsh.nix + ./mbsync.nix + ./msmtp.nix + ./gammastep.nix + ./mpd.nix + ./mako.nix + ./user.nix + ]; - options = { - monorepo.profiles = { - enable = lib.mkEnableOption "Enables home manager desktop configuration"; - # Programs - lang-c.enable = lib.mkEnableOption "Enables C language support"; - lang-sh.enable = lib.mkEnableOption "Enables sh language support"; - lang-rust.enable = lib.mkEnableOption "Enables Rust language support"; - lang-python.enable = lib.mkEnableOption "Enables python language support"; - lang-sol.enable = lib.mkEnableOption "Enables solidity language support"; - lang-openscad.enable = lib.mkEnableOption "Enables openscad language support"; - lang-js.enable = lib.mkEnableOption "Enables javascript language support"; - lang-nix.enable = lib.mkEnableOption "Enables nix language support"; - lang-coq.enable = lib.mkEnableOption "Enables coq language support"; - - crypto.enable = lib.mkEnableOption "Enables various cryptocurrency wallets"; - art.enable = lib.mkEnableOption "Enables various art programs"; - music.enable = lib.mkEnableOption "Enables mpd"; - - hyprland = { - enable = lib.mkEnableOption "Enables hyprland"; - monitors = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ - "HDMI-A-1" - "eDP-1" - "DP-2" - "DP-3" - "LVDS-1" - ]; - example = []; - description = "Hyprland monitors"; - }; - }; - email = { - email = lib.mkOption { - type = lib.types.str; - default = "ret2pop@gmail.com"; - example = "john@example.com"; - description = "Email address and imaps/smtps account"; - }; - imapsServer = lib.mkOption { - type = lib.types.str; - default = "imap.gmail.com"; - example = "imap.example.com"; - description = "imaps server address"; - }; - smtpsServer = lib.mkOption { - type = lib.types.str; - default = "smtp.gmail.com"; - example = "smtp.example.com"; - description = "smtp server address"; - }; - enable = lib.mkEnableOption "Enables email"; + options = { + monorepo.profiles = { + enable = lib.mkEnableOption "Enables home manager desktop configuration"; + # Programs + lang-c.enable = lib.mkEnableOption "Enables C language support"; + lang-sh.enable = lib.mkEnableOption "Enables sh language support"; + lang-rust.enable = lib.mkEnableOption "Enables Rust language support"; + lang-python.enable = lib.mkEnableOption "Enables python language support"; + lang-sol.enable = lib.mkEnableOption "Enables solidity language support"; + lang-openscad.enable = lib.mkEnableOption "Enables openscad language support"; + lang-js.enable = lib.mkEnableOption "Enables javascript language support"; + lang-nix.enable = lib.mkEnableOption "Enables nix language support"; + lang-coq.enable = lib.mkEnableOption "Enables coq language support"; + + crypto.enable = lib.mkEnableOption "Enables various cryptocurrency wallets"; + art.enable = lib.mkEnableOption "Enables various art programs"; + music.enable = lib.mkEnableOption "Enables mpd"; + workstation.enable = lib.mkEnableOption "Enables workstation packages (music production and others)"; + + hyprland = { + enable = lib.mkEnableOption "Enables hyprland"; + monitors = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ + "HDMI-A-1" + "eDP-1" + "DP-2" + "DP-3" + "LVDS-1" + ]; + example = []; + description = "Hyprland monitors"; + }; + }; + email = { + email = lib.mkOption { + type = lib.types.str; + default = "ret2pop@gmail.com"; + example = "john@example.com"; + description = "Email address and imaps/smtps account"; + }; + imapsServer = lib.mkOption { + type = lib.types.str; + default = "imap.gmail.com"; + example = "imap.example.com"; + description = "imaps server address"; + }; + smtpsServer = lib.mkOption { + type = lib.types.str; + default = "smtp.gmail.com"; + example = "smtp.example.com"; + description = "smtp server address"; + }; + enable = lib.mkEnableOption "Enables email"; + }; }; }; - }; - config = { - home.packages = (if config.monorepo.profiles.email.enable then [ pkgs.mu ] else []) - ++ - (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ - autobuild - clang - gdb - gnumake - bear - clang-tools - ]) else []) - ++ - (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ - nodejs - bun - yarn - typescript - vscode-langservers-extracted - ]) else []) - ++ - (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ - cargo - rust-analyzer - rustfmt - ]) else []) - ++ - (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ - poetry - python3 - python312Packages.jedi - ]) else []) - ++ - (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ - solc - ]) else []) - ++ - (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ - openscad - openscad-lsp - ]) else []) - ++ - (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ - bash-language-server - ]) else []) - ++ - (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ - coq - ]) else []) - ++ - (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ - nil - nixd - nixfmt-rfc-style - ]) else []) - ++ - (if config.monorepo.profiles.crypto.enable then (with pkgs; [ - bitcoin - electrum - monero-cli - monero-gui - ]) else []) - ++ - (if config.monorepo.profiles.art.enable then (with pkgs; [ - inkscape - krita - ]) else []) - ++ - (if config.monorepo.profiles.music.enable then (with pkgs; [ - mpc-cli - sox - ]) else []); - - monorepo.profiles = { - enable = lib.mkDefault true; - music.enable = lib.mkDefault true; - hyprland.enable = lib.mkDefault true; - email.enable = lib.mkDefault true; - - # Programming - lang-c.enable = lib.mkDefault true; - lang-rust.enable = lib.mkDefault true; - lang-python.enable = lib.mkDefault true; - lang-sol.enable = lib.mkDefault true; - lang-sh.enable = lib.mkDefault true; - lang-openscad.enable = lib.mkDefault true; - lang-js.enable = lib.mkDefault true; - lang-nix.enable = lib.mkDefault true; - lang-coq.enable = lib.mkDefault true; - - crypto.enable = lib.mkDefault true; - art.enable = lib.mkDefault true; + config = { + home.packages = (if config.monorepo.profiles.email.enable then [ pkgs.mu ] else []) + ++ + (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ + autobuild + clang + gdb + gnumake + bear + clang-tools + ]) else []) + ++ + (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ + nodejs + bun + yarn + typescript + vscode-langservers-extracted + ]) else []) + ++ + (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ + cargo + rust-analyzer + rustfmt + ]) else []) + ++ + (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ + poetry + python3 + python312Packages.jedi + ]) else []) + ++ + (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ + solc + ]) else []) + ++ + (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ + openscad + openscad-lsp + ]) else []) + ++ + (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ + bash-language-server + ]) else []) + ++ + (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ + coq + ]) else []) + ++ + (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ + nil + nixd + nixfmt-rfc-style + ]) else []) + ++ + (if config.monorepo.profiles.crypto.enable then (with pkgs; [ + bitcoin + electrum + monero-cli + monero-gui + ]) else []) + ++ + (if config.monorepo.profiles.art.enable then (with pkgs; [ + inkscape + krita + ]) else []) + ++ + (if config.monorepo.profiles.music.enable then (with pkgs; [ + mpc-cli + sox + ]) else []) + ++ + (if config.monorepo.profiles.workstation.enable then (with pkgs; [ + alsa-utils + alsa-scarlett-gui + ardour + audacity + blender + fluidsynth + qjackctl + qsynth + qpwgraph + imagemagick + inkscape + kdenlive + kicad + ]) else []); + + monorepo.profiles = { + enable = lib.mkDefault true; + music.enable = lib.mkDefault true; + hyprland.enable = lib.mkDefault true; + email.enable = lib.mkDefault true; + + # Programming + lang-c.enable = lib.mkDefault true; + lang-rust.enable = lib.mkDefault true; + lang-python.enable = lib.mkDefault true; + lang-sol.enable = lib.mkDefault true; + lang-sh.enable = lib.mkDefault true; + lang-openscad.enable = lib.mkDefault true; + lang-js.enable = lib.mkDefault true; + lang-nix.enable = lib.mkDefault true; + lang-coq.enable = lib.mkDefault true; + + crypto.enable = lib.mkDefault true; + art.enable = lib.mkDefault true; + workstation.enable = lib.mkDefault true; + }; }; - }; -} + } #+end_src *** Firefox I conditionally enable metamask based on the cryptocurrency option. Everything else here should @@ -2327,6 +2556,22 @@ This is pretty understandable, if you understand all the above. ]; } #+end_src +** Affinity +#+begin_src nix :tangle ../nix/systems/affinity/default.nix + { config, lib, ... }: + { + imports = [ + ../../modules/default.nix + ]; + config.monorepo = { + profiles = { + server.enable = true; + cuda.enable = true; + }; + vars.hostName = "affinity"; + }; + } +#+end_src ** Installer My installer installs my systems almost completely without interaction. You can also make them install the exact version of the system that you want it to by pinning the commits to make it diff --git a/nix/flake.nix b/nix/flake.nix index 2efc624..2420325 100644 --- a/nix/flake.nix +++ b/nix/flake.nix @@ -29,44 +29,53 @@ outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: { nixosConfigurations = { installer = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ( - { pkgs, modulesPath, ... }: - { - imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; - } - ) - ./systems/installer/default.nix - ]; + system = "x86_64-linux"; + modules = [ + ( + { pkgs, modulesPath, ... }: + { + imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; + } + ) + ./systems/installer/default.nix + ]; }; continuity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - { nixpkgs.overlays = [ nur.overlays.default ]; } - { home-manager.extraSpecialArgs = attrs; } + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } - ./modules/sda-simple.nix - ./systems/continuity/default.nix - ]; + ./modules/sda-simple.nix + ./systems/continuity/default.nix + ]; }; - spontaneity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; + affinity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + ./modules/nvme-simple.nix + ./systems/affinity/default.nix + ]; }; - affinity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; + spontaneity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = []; }; }; }; diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 4387767..4f821e2 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -6,6 +6,14 @@ ./pipewire.nix ./tor.nix ./kubo.nix + ./nvidia.nix + ./cuda.nix + ./nginx.nix + ./git-daemon.nix + ./postfix.nix + ./dovecot.nix + ./ollama.nix + ./i2pd.nix ]; documentation = { @@ -17,9 +25,9 @@ environment = { etc = { securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; }; }; @@ -30,9 +38,9 @@ "restricthome"."/home/*".Z.mode = "~0700"; "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; + mode = "0000"; + user = "root"; + group = "root"; }; }; }; @@ -43,15 +51,15 @@ initrd = { availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" ]; kernelModules = [ ]; @@ -66,7 +74,7 @@ systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); efi.canTouchEfiVariables = true; }; - + kernelModules = [ "snd-seq" "snd-rawmidi" @@ -209,9 +217,9 @@ udev = { extraRules = ''''; packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd + platformio-core + platformio-core.udev + openocd ]; }; @@ -281,12 +289,17 @@ vim curl ]; - + users.users = { root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" ]; + git = { + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; + }; "${config.monorepo.vars.userName}" = { initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; diff --git a/nix/modules/cuda.nix b/nix/modules/cuda.nix new file mode 100644 index 0000000..0c90278 --- /dev/null +++ b/nix/modules/cuda.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + cudatoolkit + cudaPackages.cudnn + cudaPackages.libcublas + linuxPackages.nvidia_x11 + ]; +} diff --git a/nix/modules/default.nix b/nix/modules/default.nix index 9d06837..9cdd616 100644 --- a/nix/modules/default.nix +++ b/nix/modules/default.nix @@ -9,12 +9,13 @@ options = { monorepo = { profiles = { - cuda.enable = lib.mkEnableOption "Enables CUDA support"; - documentation.enable = lib.mkEnableOption "Enables documentation on system."; - secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; - pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; - tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; - home.enable = lib.mkEnableOption "Enables home user"; + cuda.enable = lib.mkEnableOption "Enables CUDA support"; + documentation.enable = lib.mkEnableOption "Enables documentation on system."; + secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; + pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; + tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; + home.enable = lib.mkEnableOption "Enables home user"; + server.enable = lib.mkEnableOption "Enables server services"; }; }; }; @@ -32,10 +33,10 @@ monorepo = { profiles = { - documentation.enable = lib.mkDefault true; - pipewire.enable = lib.mkDefault true; - tor.enable = lib.mkDefault true; - home.enable = lib.mkDefault true; + documentation.enable = lib.mkDefault true; + pipewire.enable = lib.mkDefault true; + tor.enable = lib.mkDefault true; + home.enable = lib.mkDefault true; }; }; }; diff --git a/nix/modules/dovecot.nix b/nix/modules/dovecot.nix new file mode 100644 index 0000000..2921ad8 --- /dev/null +++ b/nix/modules/dovecot.nix @@ -0,0 +1,8 @@ +{ config, lib, ... }: +{ + services.dovecot2 = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + enableImap = true; + enablePop3 = true; + }; +} diff --git a/nix/modules/git-daemon.nix b/nix/modules/git-daemon.nix new file mode 100644 index 0000000..e71356e --- /dev/null +++ b/nix/modules/git-daemon.nix @@ -0,0 +1,9 @@ +{ config, lib, ... }: +{ + services.gitDaemon = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + exportAll = true; + listenAddress = "0.0.0.0"; + basePath = "/srv/git"; + }; +} diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix index a38ee24..1f87d57 100644 --- a/nix/modules/home/default.nix +++ b/nix/modules/home/default.nix @@ -39,117 +39,134 @@ crypto.enable = lib.mkEnableOption "Enables various cryptocurrency wallets"; art.enable = lib.mkEnableOption "Enables various art programs"; music.enable = lib.mkEnableOption "Enables mpd"; + workstation.enable = lib.mkEnableOption "Enables workstation packages (music production and others)"; hyprland = { - enable = lib.mkEnableOption "Enables hyprland"; - monitors = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ - "HDMI-A-1" - "eDP-1" - "DP-2" - "DP-3" - "LVDS-1" - ]; - example = []; - description = "Hyprland monitors"; - }; + enable = lib.mkEnableOption "Enables hyprland"; + monitors = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ + "HDMI-A-1" + "eDP-1" + "DP-2" + "DP-3" + "LVDS-1" + ]; + example = []; + description = "Hyprland monitors"; + }; }; email = { - email = lib.mkOption { - type = lib.types.str; - default = "ret2pop@gmail.com"; - example = "john@example.com"; - description = "Email address and imaps/smtps account"; - }; - imapsServer = lib.mkOption { - type = lib.types.str; - default = "imap.gmail.com"; - example = "imap.example.com"; - description = "imaps server address"; - }; - smtpsServer = lib.mkOption { - type = lib.types.str; - default = "smtp.gmail.com"; - example = "smtp.example.com"; - description = "smtp server address"; - }; - enable = lib.mkEnableOption "Enables email"; + email = lib.mkOption { + type = lib.types.str; + default = "ret2pop@gmail.com"; + example = "john@example.com"; + description = "Email address and imaps/smtps account"; + }; + imapsServer = lib.mkOption { + type = lib.types.str; + default = "imap.gmail.com"; + example = "imap.example.com"; + description = "imaps server address"; + }; + smtpsServer = lib.mkOption { + type = lib.types.str; + default = "smtp.gmail.com"; + example = "smtp.example.com"; + description = "smtp server address"; + }; + enable = lib.mkEnableOption "Enables email"; }; }; }; config = { home.packages = (if config.monorepo.profiles.email.enable then [ pkgs.mu ] else []) - ++ - (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ - autobuild - clang - gdb - gnumake - bear - clang-tools - ]) else []) - ++ - (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ - nodejs - bun - yarn - typescript - vscode-langservers-extracted - ]) else []) - ++ - (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ - cargo - rust-analyzer - rustfmt - ]) else []) - ++ - (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ - poetry - python3 - python312Packages.jedi - ]) else []) - ++ - (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ - solc - ]) else []) - ++ - (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ - openscad - openscad-lsp - ]) else []) - ++ - (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ - bash-language-server - ]) else []) - ++ - (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ - coq - ]) else []) - ++ - (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ - nil - nixd - nixfmt-rfc-style - ]) else []) - ++ - (if config.monorepo.profiles.crypto.enable then (with pkgs; [ - bitcoin - electrum - monero-cli - monero-gui - ]) else []) - ++ - (if config.monorepo.profiles.art.enable then (with pkgs; [ - inkscape - krita - ]) else []) - ++ - (if config.monorepo.profiles.music.enable then (with pkgs; [ - mpc-cli - sox - ]) else []); + ++ + (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ + autobuild + clang + gdb + gnumake + bear + clang-tools + ]) else []) + ++ + (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ + nodejs + bun + yarn + typescript + vscode-langservers-extracted + ]) else []) + ++ + (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ + cargo + rust-analyzer + rustfmt + ]) else []) + ++ + (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ + poetry + python3 + python312Packages.jedi + ]) else []) + ++ + (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ + solc + ]) else []) + ++ + (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ + openscad + openscad-lsp + ]) else []) + ++ + (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ + bash-language-server + ]) else []) + ++ + (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ + coq + ]) else []) + ++ + (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ + nil + nixd + nixfmt-rfc-style + ]) else []) + ++ + (if config.monorepo.profiles.crypto.enable then (with pkgs; [ + bitcoin + electrum + monero-cli + monero-gui + ]) else []) + ++ + (if config.monorepo.profiles.art.enable then (with pkgs; [ + inkscape + krita + ]) else []) + ++ + (if config.monorepo.profiles.music.enable then (with pkgs; [ + mpc-cli + sox + ]) else []) + ++ + (if config.monorepo.profiles.workstation.enable then (with pkgs; [ + alsa-utils + alsa-scarlett-gui + ardour + audacity + blender + fluidsynth + qjackctl + qsynth + qpwgraph + imagemagick + inkscape + kdenlive + kicad + ]) else []); monorepo.profiles = { enable = lib.mkDefault true; @@ -170,6 +187,7 @@ crypto.enable = lib.mkDefault true; art.enable = lib.mkDefault true; + workstation.enable = lib.mkDefault true; }; }; } diff --git a/nix/modules/i2pd.nix b/nix/modules/i2pd.nix new file mode 100644 index 0000000..ef4f63f --- /dev/null +++ b/nix/modules/i2pd.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: +{ + services.i2pd = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + address = "0.0.0.0"; + inTunnels = { + }; + outTunnels = { + }; + }; +} diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix new file mode 100644 index 0000000..7d8a24a --- /dev/null +++ b/nix/modules/nginx.nix @@ -0,0 +1,47 @@ +{ config, services, ... }: +{ + services.nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; +''; + + virtualHosts = { + "ret2pop.net" = { + # addSSL = true; + # enableACME = true; + root = "/home/preston/ret2pop-website/"; + }; + }; + }; +} diff --git a/nix/modules/nvidia.nix b/nix/modules/nvidia.nix new file mode 100644 index 0000000..b59035c --- /dev/null +++ b/nix/modules/nvidia.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: +{ + hardware = { + opengl.extraPackages = with pkgs; [ + vaapiVdpau + libvdpau-va-gl + nvidia-vaapi-driver + ]; + + nvidia = { + modesetting.enable = true; + powerManagement = { + enable = true; + finegrained = false; + }; + nvidiaSettings = true; + open = false; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + }; +} diff --git a/nix/modules/nvme-simple.nix b/nix/modules/nvme-simple.nix new file mode 100644 index 0000000..665c17e --- /dev/null +++ b/nix/modules/nvme-simple.nix @@ -0,0 +1,35 @@ +{ + disko.devices = { + disk = { + my-disk = { + device = "/dev/nvme0n1"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "500M"; + priority = 1; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + priority = 2; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/modules/ollama.nix b/nix/modules/ollama.nix new file mode 100644 index 0000000..f9f4dc9 --- /dev/null +++ b/nix/modules/ollama.nix @@ -0,0 +1,8 @@ +{ config, lib, ... }: +{ + services.ollama = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + acceleration = "cuda"; + host = "0.0.0.0"; + }; +} diff --git a/nix/modules/postfix.nix b/nix/modules/postfix.nix new file mode 100644 index 0000000..90eb253 --- /dev/null +++ b/nix/modules/postfix.nix @@ -0,0 +1,8 @@ +{ config, lib, ... }: +{ + services.postfix = { + enable = true; + config = { + }; + }; +} diff --git a/nix/modules/xserver.nix b/nix/modules/xserver.nix index 52ca559..d6f7ab1 100644 --- a/nix/modules/xserver.nix +++ b/nix/modules/xserver.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ lib, config, pkgs, ... }: { services.xserver = { enable = lib.mkDefault true; @@ -8,8 +8,8 @@ windowManager = { i3 = { - enable = true; - package = pkgs.i3-gaps; + enable = true; + package = pkgs.i3-gaps; }; }; @@ -23,6 +23,6 @@ options = "caps:escape"; }; - videoDrivers = []; + videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []); }; } diff --git a/nix/systems/affinity/default.nix b/nix/systems/affinity/default.nix new file mode 100644 index 0000000..703103d --- /dev/null +++ b/nix/systems/affinity/default.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: +{ + imports = [ + ../../modules/default.nix + ]; + config.monorepo = { + profiles = { + server.enable = true; + cuda.enable = true; + }; + vars.hostName = "affinity"; + }; +} -- cgit